The GnuPG Project is pleased to announce the availability of Libgcrypt version 1.8.0. This is a new stable version of Libgcrypt with full API and ABI compatibility to the 1.7 series. Its main features are support for Blake-2, XTS mode, an improved RNG, and performance improvements for the ARM architecture.

A new form of malware has proved to be one of the most advanced Android information-stealers ever discovered, enabling attackers to open a backdoor in order to monitor data, steal information, record audio and video, and even infect the phone with ransomware.

Dubbed GhostCtrl, the malware can stealthily control many of the infected device's functions -- and researchers have warned that this is just the beginning, and the malware could evolve to become a lot worse.

Security firm UpGuard has disclosed that nearly four million accounts of users of financial publishing company Dow Jones were exposed in a cloud-based file repository which had been configured to allow semi-public access.

Moskopp discovered that he could hide malicious VBScript inside names of MSI files. When the user accesses a folder on his computer where this malicious MSI file is saved, GNOME Files will automatically parse the file to extract an icon from its content and display it in the file explorer window.

The problem is that when parsing the MSI file looking for its icon, GNOME Files also reads the filename and executes the code found within.

The attack encrypted files on “a small percentage” of Microsoft computers, though it appeared that the virus had detected “many more” computers and servers and was preparing to encrypt their files, too, before KQED’s technical staff was able to isolate the bug.

Some metaphorical insight is to be gained in the comparison between reading and writing, and reaping and sowing. Changes in technology that facilitate physical contact between laborers and their element, be it a blank page or a fallow field, bring farmers and literary scholars into a more direct, non-figurative conversation, concerning the nature of electronic goods.

Almost two months ago, we reported about a 7-year-old critical remote code execution vulnerability in Samba networking software, allowing a hacker to remotely take full control of vulnerable Linux and Unix machines.

[...]

Dubbed SHELLBIND, the malware works on various architectures, including MIPS, ARM and PowerPC, and is delivered as a shared object (.SO) file to Samba public folders and loaded via the SambaCry vulnerability.

Over the years hackers have hijacked many domain names by manipulating their DNS records to redirect visitors to malicious servers. While there’s no perfect solution to prevent such security breaches, there are actions that domain owners can take to limit the impact of these attacks on their Web services and users.

The owners of the Ashley Madison cheating-dating website have agreed to pay $11.2 million to settle two dozen data breach lawsuits as a result of a 2015 incident involving as many as 37 million members' personal identifying information being exposed online. The deal (PDF) earmarks up to one-third, or about $3.7 million, for attorneys' fees and costs. An additional $500,000 has been set aside to administer the remaining $7 million earmarked for Ashley Madison members.

These IP cameras are available with full support and regular updates from industrial suppliers at prices ranging from several hundred to a few thousand dollars per camera. They are commonly sold in systems that include cameras, installation, monitoring and recording systems and software, integration, and service and support. There are a few actual manufacturers of the cameras, and many OEMs place their own brand names on the cameras.

There was a recent Cryptoparty Belfast event that was aimed at a wider audience than usual; rather than concentrating on how to protect oneself on the internet the 3 speakers concentrated more on why you might want to. As seems to be the way these days I was asked to say a few words about the intersection of technology and the law. I think people were most interested in all the gadgets on show at the end, but I hope they got something out of my talk. It was a very high level overview of some of the issues around the Investigatory Powers Act - if you’re familiar with it then I’m not adding anything new here, just trying to provide some sort of details about why it’s a bad thing from both a technological and a legal perspective.

In a research paper published at the end of February, a team of five scientists from the Graz University of Technology has described a novel method of leaking data from SGX enclaves, a secure environment created by Intel CPUs for storing sensitive information for each process, such as encryption keys, passwords, and other.

Starting with the Skylake line, Intel introduced a new hardware extension called SGX (Software Guard Extensions) that isolates the CPU memory at the hardware level, creating safe spaces where applications can store information that only they can write or read.

In measured boot, each component of the boot process is "measured" (ie, hashed and that hash recorded) in a register in the Trusted Platform Module (TPM) built into the system. The TPM has several different registers (Platform Configuration Registers, or PCRs) which are typically used for different purposes - for instance, PCR0 contains measurements of various system firmware components, PCR2 contains any option ROMs, PCR4 contains information about the partition table and the bootloader. The allocation of these is defined by the PC Client working group of the Trusted Computing Group. However, once the boot loader takes over, we're outside the spec[1].

Frequent Phoronix readers may recall that for more than one year a new Linux Random Number Generator has been in-development and today marked the 12th version of these patches being released.

This new random number generator, LRNG, aims to provide sufficient entropy during the boot time and in virtual environments as well as when using SSDs or DM targets. LRNG has been in development by Stephan Müller.

Adding to the list of changes/features you will not find in Linux 4.13 is AMD's Secure Memory Encryption as supported by the new EPYC processors.

AMD has been posting Secure Memory Encryption patches for the Linux kernel going back to last year, but so far have not been merged to mainline. The code continues to be updated and published today was the tenth version of these patches.

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.

GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt on January 11, 1996, but relief is probably a good guess. The United States government had just ended its investigation into him and his encryption software, PGP or “Pretty Good Privacy”.

The latest State of the Software Supply Chain Report from DevOps tools specialist Sonatype reveals that organizations which actively manage the quality of open source components flowing into production applications realize a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality.

The head of Nokia’s software business is very much a believer in open source, which might come as a surprise to some considering the telecom vendor’s deep ties to proprietary software.

Of course, “open source does not mean free,” said Bhaskar Gorti, president of Applications & Analytics at Nokia. “Open source, in fact, if anything, is a great opportunity for us to increase our R&D velocity.”

Many open source components exist in the world—but most of them have been built for a generic IT environment, not a telco grade, and that’s what a lot of people are looking to get from Nokia. VMware and Red Hat are among its partners.

To some, the terms ‘open source’ and ‘security’ may not exactly go hand in hand. Characterized by its transparent code—which means it’s highly accessible to anyone—as opposed to ‘closed’, proprietary systems, it’s no wonder that some still have the misperception that open source is the more vulnerable party. In an open source environment, companies as well as communities of sorts are able to access and contribute to the code. This often gives off the impression that because it is open, it must be fully exposed to risks and viruses.

But today, open source is pervasive. The world as we know it is changing — technology is evolving faster today than it has at any other point in human history. And open source is the reason for that; it is the driving force behind many of today’s technology innovations that we see. Today’s enterprises simply cannot rely on a proprietary piece of source code to manage their increasing multitude of applications that are powering their critical business transactions.

And with the rising adoption of this software, there has never been a better time to learn the truth about misconceptions of open source security.

Ventura will detail a more active approach to intrusion prevention - where defenders can use basic network software applications to look for threats and stop attacks - later this month in his Black Hat USA talk entitled "They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention."

The official’s emails were primarily conversations among Russia experts in government, including the intelligence community, exchanging articles, newsletters, and thoughts on current events. The official corresponded frequently with other Russia experts in academia and the think-tank world.

Kali Linux is one of the most famous and widely used Linux distributions for security testing, digital forensics and penetration testing. It has grown in popularity so fast that it is now perceived as an essential part of every security expert's (and hacker's) toolkit.

Almost 20 years have passed since the corporate world woke up to long-term problems in computer code, which became known as Y2K. Over the previous decades, software developers had used the date 01-01-00 (January 1, 2000) as a convenient hack to make it easier to debug software. The problem was that it wasn’t taken out. So as 2000 loomed, there was a realization that, when the clocks hit midnight, software all over the world could simply stop running. Thankfully, at a cost of a few billion dollars, the software was audited and patched, and businesses went back to worrying about other things.

But at a recent workshop organized by the Ford and Sloan Foundations, I learned that Y2K-type concerns are far from over. And unlike Y2K itself, they are much harder to identify, let alone fix.

A vulnerability hidden in Kerberos code for more than 20 years met its end in patches issued this week by Microsoft and several Linux vendors.

Having found the flaw three months ago in Heimdal, an open-source implementation of Kerberos, Jeffrey Altman, founder of AuriStor, and Viktor Dukhovni and Nicolas Williams from Two Sigma Investments, dubbed the bug Orpheus' Lyre.

On Wednesday, the Samba Team released new security updates to fix a vulnerability in "all versions of Samba from 4.0.0 onward using embedded Heimdal Kerberos," according to an announcement from the United States-Computer Emergency Readiness Team (US-CERT).
